Bug-hunting ideas | Several common account-attack techniques (vulnerability alert, 黑吧安全网 / myhack58)

In web security incidents the account is usually the attacker's first point of contact. If the account-related functions are flawed, an attacker can get at key information and important functionality. For example: when a login fails, the error message reveals whether the failure was because the account does not exist, which can be exploited to enumerate valid accounts; the number of login attempts is not limited, which allows passwords to be brute-forced; the steps of the registration flow are not strictly bound to one another, which allows arbitrary accounts to be registered in bulk; and the steps of the password-recovery flow are not strictly bound to one another, which allows the password of any account to be reset.
During routine penetration testing I ran into a site, https://www.xxxx.com/, that had several of these problems at once. The site is an e-commerce platform; by combining several of the issues I obtained administrator privileges. The vulnerabilities have been reported and confirmed fixed, so I am sharing the approach.
Before starting, a habit worth mentioning: many sites have both a PC version and a mobile version. The mobile version is often feature-reduced and its security defences correspondingly weaker ("pick the soft persimmon"), so I first try as hard as I can to find the site's mobile version. Specifically, I first visit the site directly from a phone; the server usually redirects to the mobile version, and I take the mobile access address from there. If typing URLs on a phone is a bother, you can install the Firefox useragent-switcher extension (https://mybrowseraddon.com/useragent-switcher.html) to emulate a mobile client. Other approaches are also worth considering: use the subdomain enumeration tool Sublist3r (https://github.com/aboul3la/Sublist3r) to find a mobile host such as https://m.xxxx.com/; use the path enumeration tool dirsearch (https://github.com/maurosoria/dirsearch) to find a mobile path such as https://www.xxxx.com/wap; or use Google hacking (inurl:xxxx.com combined with mobile-related terms) to find something like https://www.xxxx.com/mobile.
Accounts can be enumerated
On the login page https://www.xxxx.com/Wap/User/login, enter an account and a password:
[screenshot: login form]
Submit and intercept the request. If the account does not exist, the server responds:
[screenshot: response for a non-existent account]
If the account exists, the server responds:
[screenshot: response for an existing account]
Analysis shows that although the two responses are very similar, they do differ: the response for a valid account contains one more "您" (you) than the one for an invalid account, and the same distinction can be made from the response body length. At the same time, the server does not throttle high-frequency requests, so valid accounts can be enumerated. (Body length is the handiest oracle, but confirm it against the body content: a dynamic token or timestamp in the response can shift the length and produce false positives.)
Set the mobile parameter as the enumeration variable, using the top 500 common Chinese-name pinyin strings plus common back-office account names as the dictionary. In the results, every response with body length 561 belongs to a valid account:
[screenshot: enumeration results sorted by response length]
Among them are ordinary accounts such as chenying and chenyun as well as back-office accounts such as admin and ceshi. The results are saved as username.txt:
[screenshot: username.txt]
Passwords can be brute-forced
The server does have an upper limit on password attempts: after 5 failures within one hour, login is blocked:
[screenshot: lockout message]
Look at the login request:
[screenshot: login request]
The logintime parameter caught my attention: its name, and the fact that its value was exactly 5, the attempt limit. Setting it to 4, the server responded normally; deleting the logintime parameter altogether also bypasses the attempt limit. Evidently the attempt counter is kept on the client and trusted by the server.
Now, using the request with logintime removed, define mobile as enumeration variable 1 with the username.txt generated above as its dictionary, and password as enumeration variable 2 with a top-1000 common weak-password list as its dictionary, and brute-force the passwords:
[screenshot: brute-force results]
Every response with body length 380 indicates a valid password; the results are saved as logined.txt:
[screenshot: logined.txt]
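The two steps above, enumeration through the response-length oracle and a brute-force with the client-side attempt counter stripped, as an added in-process example that is not code from the original article. It models the login endpoint the write-up describes beside a hardened handler that resists both attacks; the account names, passwords, response messages and the 5-attempt limit are constructed assumptions, not data from the real site.

```python
"""Added example, not code from the original article: an in-process model of
the login endpoint described above. It shows the two attacker steps from the
write-up (account enumeration through a response-length oracle, then a
password brute-force with the client-side ``logintime`` counter stripped) and
a hardened handler that resists both. Account names, passwords, messages and
the 5-attempt limit are constructed assumptions, not data from the real site."""
import hmac
import json
from collections import Counter
from itertools import product


def _resp(code, msg):
    return json.dumps({"code": code, "msg": msg}, ensure_ascii=False)


class VulnerableLogin:
    """Distinct error text for unknown accounts, and a lockout that trusts the
    client-supplied ``logintime`` counter (so omitting it disables the lockout)."""

    def __init__(self, users):
        self.users = dict(users)                     # account -> password

    def login(self, form):
        if int(form.get("logintime", 0)) >= 5:       # bug: client controls the count
            return _resp(2, "一小时内错误5次，禁止登录")
        mobile, password = form.get("mobile", ""), form.get("password", "")
        if mobile not in self.users:                 # bug: different message/length
            return _resp(1, "登录失败，账号或密码错误")
        if self.users[mobile] != password:
            return _resp(1, "登录失败，您的账号或密码错误")
        return _resp(0, "登录成功")


class HardenedLogin:
    """One fixed failure message whether or not the account exists, a
    server-side failure counter per account, and a constant-time compare.
    (A real deployment would also throttle per source IP and add a CAPTCHA.)"""
    MAX_FAILURES = 5
    _DUMMY = "x" * 32                                # keeps unknown-account timing similar

    def __init__(self, users):
        self.users = dict(users)
        self.failures = Counter()

    def login(self, form):
        mobile, password = form.get("mobile", ""), form.get("password", "")
        if self.failures[mobile] >= self.MAX_FAILURES:
            return _resp(2, "尝试次数过多，请稍后再试")
        expected = self.users.get(mobile, self._DUMMY)
        match = hmac.compare_digest(expected.encode(), password.encode())
        if not (match and mobile in self.users):
            self.failures[mobile] += 1
            return _resp(1, "登录失败，账号或密码错误")
        self.failures[mobile] = 0
        return _resp(0, "登录成功")


def enumerate_accounts(server, candidates, valid_length=None, probe_password="x"):
    """One login per candidate with a throwaway password, then cluster by body
    length. With ``valid_length`` given (561 in the article) that length is the
    oracle; otherwise the modal length is taken as the 'no such account'
    baseline, which only holds while most candidates are invalid."""
    lengths = {c: len(server.login({"mobile": c, "password": probe_password}))
               for c in candidates}
    if valid_length is None:
        baseline = Counter(lengths.values()).most_common(1)[0][0]
        return sorted(c for c, n in lengths.items() if n != baseline)
    return sorted(c for c, n in lengths.items() if n == valid_length)


def brute_force(server, usernames, passwords):
    """Two-variable run that sends no ``logintime`` at all. Success is read from
    the response code here; in the article it was read from the length (380)."""
    found = {}
    for user, pw in product(usernames, passwords):
        if user in found:
            continue
        body = server.login({"mobile": user, "password": pw})
        if json.loads(body)["code"] == 0:
            found[user] = pw
    return found


# Constructed sample data standing in for the two dictionaries in the article.
USERS = {"13800000001": "Zx!9qLm2", "admin": "123456", "chenying": "qwerty"}
CANDIDATES = ["wangwei", "lihua", "zhangmin", "chenying", "admin", "ceshi", "liuyang"]
WEAK_PASSWORDS = ["password", "123456789", "12345678", "111111", "000000", "123456", "qwerty"]

if __name__ == "__main__":
    vuln = VulnerableLogin(USERS)
    valid = enumerate_accounts(vuln, CANDIDATES)
    print("enumerated:", valid)                                            # ['admin', 'chenying']
    print("cracked:", brute_force(vuln, valid, WEAK_PASSWORDS))            # admin/123456, chenying/qwerty
    hard = HardenedLogin(USERS)
    print("hardened enumerated:", enumerate_accounts(hard, CANDIDATES))    # []
    print("hardened cracked:", brute_force(hard, valid, WEAK_PASSWORDS))   # {}
```

Against the hardened handler the same scripts return nothing: every failure has the same body, and the sixth attempt on any account name, existing or not, gets the lockout response because the counter lives on the server.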
Arbitrary account registration
On the registration page https://www.xxxx.com/Wap/User/register, enter a mobile number that is not yet registered, click "get verification code", enter the SMS verification code you receive and submit; this leads to the password-setting page:
[screenshot: registration flow]
Enter a password and intercept the request:
[screenshot: set-password request]
A quick analysis shows that register_mobile is the username being registered. As long as the parameter value is not already registered, this one request creates the account, so any account can be created without passing the SMS verification: nothing in the final step ties it to the number that received the code.
For example, although the system only allows a phone number as the username at registration, with this vulnerability you can create the account yangyangwithgnu/abcd1234 and confirm it by logging in:
[screenshot: login as yangyangwithgnu]
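The registration flaw above, as an added example that is not code from the original article: a model of the three-step SMS registration flow in its broken form, where the final step registers whatever register_mobile the request carries, beside a hardened form that binds step 3 to the number actually verified in step 2 through a server-side session. The codes, session tokens and the phone-number rule are constructed assumptions.

```python
"""Added example, not code from the original article: a model of the SMS
registration flow described above. The broken version registers whatever
``register_mobile`` the final request carries, so the SMS step can be skipped
and a non-phone username such as yangyangwithgnu created. The hardened version
binds step 3 to the mobile number that was actually verified in step 2.
Codes, session tokens and the phone-number rule are constructed assumptions."""
import hmac
import re
import secrets

MOBILE_RE = re.compile(r"^1\d{10}$")           # assumed rule: 11-digit mainland mobile


def _new_code():
    return f"{secrets.randbelow(10 ** 6):06d}"   # stands in for the SMS gateway


class VulnerableRegistration:
    """Step 2 checks the code but leaves no server-side record of it; step 3
    trusts the client's ``register_mobile`` parameter outright."""

    def __init__(self):
        self.codes = {}       # mobile -> code sent
        self.accounts = {}    # username -> password

    def send_code(self, mobile):
        self.codes[mobile] = _new_code()
        return self.codes[mobile]

    def verify_code(self, mobile, code):
        return hmac.compare_digest(self.codes.get(mobile, "").encode(), code.encode())

    def set_password(self, register_mobile, password):
        # Nothing ties this request to a verified number, and the phone-number
        # format is only enforced by the page's JavaScript.
        if register_mobile in self.accounts:
            return False
        self.accounts[register_mobile] = password
        return True


class HardenedRegistration:
    """Each step is bound to the previous one: a rate-limited, single-use code
    yields an opaque session token, and step 3 takes the identity from that
    token rather than from the request body."""
    MAX_CODE_ATTEMPTS = 3

    def __init__(self):
        self.codes = {}       # mobile -> [code, attempts left]
        self.sessions = {}    # token -> verified mobile
        self.accounts = {}

    def send_code(self, mobile):
        if not MOBILE_RE.match(mobile):
            raise ValueError("username must be a mobile number")
        self.codes[mobile] = [_new_code(), self.MAX_CODE_ATTEMPTS]
        return self.codes[mobile][0]

    def verify_code(self, mobile, code):
        entry = self.codes.get(mobile)
        if entry is None or entry[1] <= 0:
            return None
        entry[1] -= 1
        if not hmac.compare_digest(entry[0].encode(), code.encode()):
            return None
        del self.codes[mobile]                          # single use
        token = secrets.token_urlsafe(32)
        self.sessions[token] = mobile
        return token

    def set_password(self, token, register_mobile, password):
        verified = self.sessions.get(token)
        if verified is None or register_mobile != verified:
            return False                                # no session, or identity mismatch
        if verified in self.accounts:
            return False
        self.accounts[verified] = password
        del self.sessions[token]                        # token cannot be replayed
        return True


if __name__ == "__main__":
    v = VulnerableRegistration()
    print(v.set_password("yangyangwithgnu", "abcd1234"))          # True: SMS step skipped

    h = HardenedRegistration()
    tok = h.verify_code("13800000002", h.send_code("13800000002"))
    print(h.set_password(tok, "yangyangwithgnu", "abcd1234"))     # False: not the verified number
    print(h.set_password(tok, "13800000002", "abcd1234"))         # True
```

The fix is not "validate register_mobile harder"; it is to stop reading the identity from the request at all once it has been established. The same rule applies to the password-recovery flow mentioned in the introduction, where the number that received the code, not a parameter in the final request, must decide whose password changes.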

Source: http://www.myhack58.com/Article/html/3/62/2018/89685.htm (myhack58 / 黑吧安全网), published 2018-03-09, author listed as 佚名 (anonymous); indexed by Vulners as MYHACK58:62201889685. This is page 1 of a two-page article; page 2 (89685_2.htm) is not included here.